DCOM Security

Microsoft® Windows® 2000 Scripting Guide

DCOM, the architecture underlying the interaction of the WMI scripting library with the WMI service, provides a mechanism known as impersonation. Impersonation enables you to specify whom the WMI service should act as when carrying out a task.

The default, and the recommended, impersonation level is Impersonate. This enables the WMI service to act on your behalf, using your credentials. You can also give the WMI service the right to contact other DCOM-based services and enable them to use your credentials. This level of impersonation is known as Delegate and has some security risks associated with it.

What kind of security risks? By default, DCOM supports only single-hop impersonation. Suppose you run a script on Computer A, and that script needs to retrieve information from Computer B. The script can impersonate you on the "single hop" between computers A and B. But what if Computer B needs to retrieve information from a third computer? By default, the script cannot impersonate you on this "double hop" from Computer A to Computer B to Computer C. Because of this, the script will fail.

It is possible to allow Computer B to also use your credentials; for that matter, you can also allow computers C, D, and E to use your credentials. This is where the security risk occurs. With single-hop security, you are limited to working with at most two computers, so any misuse of your credentials is confined to computers A and B. With delegation, and with multi-hop security, the same problems can spread to many computers.
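The following VBScript is an added example, not code from the Scripting Guide. It uses the WMI moniker syntax to connect to a remote computer with the recommended Impersonate level, shows how the Delegate level would be requested for a double-hop (A to B to C) scenario, and reports the error a failed connection returns. The computer names ComputerB and ComputerC are placeholders, and the assumption that ComputerB in turn queries ComputerC is constructed for illustration.

```vbscript
' Added example (not part of the Scripting Guide): choosing the DCOM
' impersonation level for a WMI connection.
' ComputerB and ComputerC are placeholder names.
Option Explicit

' Connect to the root\cimv2 namespace on strComputer using the given
' impersonation level ("impersonate" or "delegate"). Returns Nothing and
' echoes the error if the connection is refused.
Function ConnectWMI(strComputer, strLevel)
    On Error Resume Next
    Set ConnectWMI = GetObject("winmgmts:{impersonationLevel=" & strLevel & _
        "}!\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        WScript.Echo "Connection to " & strComputer & " (" & strLevel & ") failed: 0x" & _
            Hex(Err.Number) & " " & Err.Description
        Err.Clear
        Set ConnectWMI = Nothing
    End If
End Function

' Recommended: single hop, Computer A (this script) -> Computer B.
' The WMI service on ComputerB acts with your credentials but cannot
' forward them to any further computer.
Dim objWMIService, colServices, objService
Set objWMIService = ConnectWMI("ComputerB", "impersonate")
If Not objWMIService Is Nothing Then
    Set colServices = objWMIService.ExecQuery("SELECT Name, State FROM Win32_Service")
    For Each objService In colServices
        WScript.Echo objService.Name & ": " & objService.State
    Next
End If

' Only when ComputerB itself must reach ComputerC on your behalf (a double hop)
' would the Delegate level be requested. With "impersonate" that second hop
' runs without your credentials and the query on ComputerB fails; with
' "delegate" ComputerB (and anything it contacts) can use them, which is the
' wider exposure described above. Delegation also requires Kerberos
' authentication and the ComputerB account being trusted for delegation in
' Active Directory; otherwise this connection is refused.
Dim objDelegatedService
Set objDelegatedService = ConnectWMI("ComputerB", "delegate")
If Not objDelegatedService Is Nothing Then
    WScript.Echo "Delegation granted to ComputerB; it may now act as you toward ComputerC."
End If
```

Keep the Impersonate form as the default in every script and switch a single connection to Delegate only for the specific task that genuinely needs the second hop; the connection itself is the point at which the wider exposure is granted, so it is the line to review when auditing a script.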

The different DCOM security levels are discussed in more detail in the "Writing WMI Scripts" section of this chapter. That section will also discuss additional safeguards that help reduce the potential risks associated with delegation.